samba - Feb 2018 - Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)

On 6/1/2018 23:55, Andrew Bartlett wrote:
> On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba wrote:
>> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and
Heimdal Kerberos 7.1.0 packages are installed from Debian repositories.
Management is done from MS-RSAT installed on a Windows 7 Pro client.
>>
>> When I select the option "Account is sensitive and cannot be
delegated" (in Active Directory Users and Computers under the Account tab)
for a user account regardless of its privileges, the user cannot logon on any
client PC. Windows 7 responds "Logon failure: user account restriction.
Possible reasons are blank passwords are not allowed, logon hour restrictions,
or a policy restriction has been enforced" and a Debian Stretch client
responds "You are not allowed to logon from this workstation". The
Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F
command from the Linux client. Issuing the command kinit -f will again fail with
"krb5_get_init_creds: Ticket may not be forwardable".
>>
>> Investigation with Wireshark showed that after receiving an AS-REQ for
a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a
KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same
as kinit -f). This behavior is correct according to CVE-2016-2125
(https://www.samba.org/samba/security/CVE-2016-2125.html) which states:
>>
>> 0x00100000: UF_NOT_DELEGATED:
>> The UF_NOT_DELEGATED can be used to disable the ability to get
forwardable TGT
>> for the account. It means the KDC will respond with an error if the
client asks
>> for the forwardable ticket.  The client typically gives up and removes
the
>> GSS_C_DELEG_FLAG flag and continues without passing delegated
credentials.
>> Administrators can use this to disable possible delegation for the most
>> privileged accounts (e.g. administrator accounts).
>>
>> Upon the initial logon procedure however, both Samba 4.5.12 and Windows
7 clients will actually give up and not continue asking for a non-forwardable
TGT, which means that the user will be locked out.
>>
>> Testing with Wireshark on another AD with one Windows 2008 R2 DC showed
that the DC ignored the forwardable flag on AS-REQ and the user logged in
normally having a non-forwardable TGT. All subsequent TGS requests on the same
logon session from a Windows 7 client didn't have the forwardable flag set.
>>
>> Should I fill a bug for that, request to be added on Samba wiki or am I
doing something wrong?
> Yes, please file a bug.  Clearly we need a test for this.
>
> (Regarding Rowland's point, the Heimdal package on Debian won't
> actually be used by the Samba 4.5 package).
>
> Andrew Bartlett
I have filled Bug 13205 with a proposed patch. It also affects Samba 
versions 4.7.4 and 4.8.0rc2.

On Wed, 2018-01-31 at 16:15 +0000, Antonios Kalkakos
wrote:
> On 6/1/2018 23:55, Andrew Bartlett wrote:
> > On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba wrote:
> > > I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba
and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories.
Management is done from MS-RSAT installed on a Windows 7 Pro client.
> > > 
> > > When I select the option "Account is sensitive and cannot be
delegated" (in Active Directory Users and Computers under the Account tab)
for a user account regardless of its privileges, the user cannot logon on any
client PC. Windows 7 responds "Logon failure: user account restriction.
Possible reasons are blank passwords are not allowed, logon hour restrictions,
or a policy restriction has been enforced" and a Debian Stretch client
responds "You are not allowed to logon from this workstation". The
Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F
command from the Linux client. Issuing the command kinit -f will again fail with
"krb5_get_init_creds: Ticket may not be forwardable".
> > > 
> > > Investigation with Wireshark showed that after receiving an
AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a
KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same
as kinit -f). This behavior is correct according to CVE-2016-2125
(https://www.samba.org/samba/security/CVE-2016-2125.html) which states:
> > > 
> > > 0x00100000: UF_NOT_DELEGATED:
> > > The UF_NOT_DELEGATED can be used to disable the ability to get
forwardable TGT
> > > for the account. It means the KDC will respond with an error if
the client asks
> > > for the forwardable ticket.  The client typically gives up and
removes the
> > > GSS_C_DELEG_FLAG flag and continues without passing delegated
credentials.
> > > Administrators can use this to disable possible delegation for
the most
> > > privileged accounts (e.g. administrator accounts).
> > > 
> > > Upon the initial logon procedure however, both Samba 4.5.12 and
Windows 7 clients will actually give up and not continue asking for a
non-forwardable TGT, which means that the user will be locked out.
> > > 
> > > Testing with Wireshark on another AD with one Windows 2008 R2 DC
showed that the DC ignored the forwardable flag on AS-REQ and the user logged in
normally having a non-forwardable TGT. All subsequent TGS requests on the same
logon session from a Windows 7 client didn't have the forwardable flag set.
> > > 
> > > Should I fill a bug for that, request to be added on Samba wiki
or am I doing something wrong?
> > 
> > Yes, please file a bug.  Clearly we need a test for this.
> > 
> > (Regarding Rowland's point, the Heimdal package on Debian
won't
> > actually be used by the Samba 4.5 package).
> > 
> > Andrew Bartlett
> 
> I have filled Bug 13205 with a proposed patch. It also affects Samba 
> versions 4.7.4 and 4.8.0rc2.
Thanks for that.  The challenging task now is to write an automated
test for that, and double-check how Windows behaves.

I realise that is a big ask, but I wanted you to know why we can't just
merge the patch, as it would be really unfortunate for us to regress
again.  To make it even more tricky, we really need to get such a patch
 and a test upstream to Heimdal or confirm a similar fix is already
there, so we don't regress when we eventually update Samba's copy.  

And if that wasn't enough, we need to work out if changing the Heimdal
behaviour for their existing realms is actually OK, or if we need to
carve our a new flag bit for 'don't deny, auto-downgrade'.

All this makes a lot of work for such a simple patch, for which I will
understand your frustration.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 1/2/2018 11:52, Andrew Bartlett wrote:
> On Wed, 2018-01-31 at 16:15 +0000, Antonios Kalkakos wrote:
>> On 6/1/2018 23:55, Andrew Bartlett wrote:
>>> On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba
wrote:
>>>> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The
Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian
repositories. Management is done from MS-RSAT installed on a Windows 7 Pro
client.
>>>>
>>>> When I select the option "Account is sensitive and cannot
be delegated" (in Active Directory Users and Computers under the Account
tab) for a user account regardless of its privileges, the user cannot logon on
any client PC. Windows 7 responds "Logon failure: user account restriction.
Possible reasons are blank passwords are not allowed, logon hour restrictions,
or a policy restriction has been enforced" and a Debian Stretch client
responds "You are not allowed to logon from this workstation". The
Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F
command from the Linux client. Issuing the command kinit -f will again fail with
"krb5_get_init_creds: Ticket may not be forwardable".
>>>>
>>>> Investigation with Wireshark showed that after receiving an
AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a
KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same
as kinit -f). This behavior is correct according to CVE-2016-2125
(https://www.samba.org/samba/security/CVE-2016-2125.html) which states:
>>>>
>>>> 0x00100000: UF_NOT_DELEGATED:
>>>> The UF_NOT_DELEGATED can be used to disable the ability to get
forwardable TGT
>>>> for the account. It means the KDC will respond with an error if
the client asks
>>>> for the forwardable ticket.  The client typically gives up and
removes the
>>>> GSS_C_DELEG_FLAG flag and continues without passing delegated
credentials.
>>>> Administrators can use this to disable possible delegation for
the most
>>>> privileged accounts (e.g. administrator accounts).
>>>>
>>>> Upon the initial logon procedure however, both Samba 4.5.12 and
Windows 7 clients will actually give up and not continue asking for a
non-forwardable TGT, which means that the user will be locked out.
>>>>
>>>> Testing with Wireshark on another AD with one Windows 2008 R2
DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged
in normally having a non-forwardable TGT. All subsequent TGS requests on the
same logon session from a Windows 7 client didn't have the forwardable flag
set.
>>>>
>>>> Should I fill a bug for that, request to be added on Samba wiki
or am I doing something wrong?
>>> Yes, please file a bug.  Clearly we need a test for this.
>>>
>>> (Regarding Rowland's point, the Heimdal package on Debian
won't
>>> actually be used by the Samba 4.5 package).
>>>
>>> Andrew Bartlett
>> I have filled Bug 13205 with a proposed patch. It also affects Samba
>> versions 4.7.4 and 4.8.0rc2.
> Thanks for that.  The challenging task now is to write an automated
> test for that, and double-check how Windows behaves.
Windows clients (at least Windows 7, 8.1 and 10) always ask for a 
forwardable TGT. If the forwardable flag is set on the TGT, a forwarded 
TGT is obtained and the forwardable flag is set on subsequent ticket 
requests. If the forwardable flag is not set on the TGT, all subsequent 
ticket requests do not have forwardable flag set.
> I realise that is a big ask, but I wanted you to know why we can't just
> merge the patch, as it would be really unfortunate for us to regress
> again.  To make it even more tricky, we really need to get such a patch
>   and a test upstream to Heimdal or confirm a similar fix is already
> there, so we don't regress when we eventually update Samba's copy.
>
> And if that wasn't enough, we need to work out if changing the Heimdal
> behaviour for their existing realms is actually OK, or if we need to
> carve our a new flag bit for 'don't deny, auto-downgrade'.
>
> All this makes a lot of work for such a simple patch, for which I will
> understand your frustration.
>
> Andrew Bartlett
>
This is true. People at Heimdal did it for a reason, which means that 
apart from regression, changing it may break something else. And there 
may/should be a better way to solve it programmatically.